Migration of ISO/IEC 27001:2013 to ISO/IEC 27001:2022

As the digital landscape continues to transform, so too does the realm of information security. The release of ISO/IEC 27001:2022 marks a pivotal moment in the realm of cybersecurity standards, offering organizations a renewed framework to address the ever-shifting challenges of safeguarding sensitive information. In this blog, we delve into the key changes and enhancements that distinguish the latest iteration from its predecessor, guiding you through the essential considerations and benefits of migrating your security management practices from ISO/IEC 27001:2013 to ISO/IEC 27001:2022.


Key transition timescales, as defined by the International Accreditation Forum (IAF) in Mandatory Document IAF MD 26:2022:

  • Accreditation Body (AB) to be ready to assess ISO/IEC 27001:2022 no later than 30th April, 2023
  • Initial assessment by AB to ISO/IEC 27001:2022 to begin no later than 30th April, 2023
  • AB transitions of Conformity Assessment Bodies (CABs) should be completed by 31st October, 2023
  • Initial certification by CAB to ISO/IEC 27001:2022 to begin no later than 31st October, 2023
  • CAB transitions of certified clients completed by 31st October, 2025


High-level summary of the changes:

  • The title is changed to ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection — Information security management systems — Requirements
  • Clauses 9.2 and 9.3 are split as below:
    • 9.2.1 General
    • 9.2.2 Internal audit programme
    • 9.3.1 General
    • 9.3.2 Management review inputs
    • 9.3.3 Management review results
  • The order of the two sub-clauses below has been interchanged:
  • Although new text has been added and some rearranged, these changes only clarify the requirements and do not add new ones to the standard.
  • Main changes in Annex A
    ISO/IEC 27001:2022 groups controls according to the building blocks of information security capability (people, process and technology, plus physical security).
    Controls are regrouped into 4 domains instead of the previous 14 domains:
    • A.5 Organizational (37 controls);
    • A.6 People (8 controls);
    • A.7 Physical (14 controls); and
    • A.8 Technological (34 controls)
  • 11 new controls are introduced to address developments in technologies and industry practices:
    • A.5.7 Threat intelligence
    • A.5.23 Information security for use of cloud services
    • A.5.30 ICT readiness for business continuity
    • A.7.4 Physical security monitoring
    • A.8.9 Configuration management
    • A.8.10 Information deletion
    • A.8.11 Data masking
    • A.8.12 Data leakage prevention
    • A.8.16 Monitoring activities
    • A.8.23 Web filtering
    • A.8.28 Secure coding
  • The outdated control 'A.6.2.2 Teleworking' has been updated to 'A.6.7 Remote working'
  • Similar controls have been integrated into one main control to reduce redundancy (57 previous controls merged into 24 controls)

  • The total number of controls is reduced from the previous count of 114 to 93.

  • Controls have also been assigned attributes for easier classification and management:
    • Control type: Preventive, Detective, Corrective
    • Information security properties: Confidentiality, Integrity, Availability
    • Cybersecurity concepts: Identify, Protect, Detect, Respond, Recover
    • Operational capabilities: e.g. Continuity, Physical security, Information security event management
    • Security domains: Governance and Ecosystem, Protection, Defence, Resilience


Incorporating these changes during the migration ensures that your organization is equipped to navigate the evolving cybersecurity landscape with confidence and resilience.



Dive into the world of regulatory compliance with Kamran, a seasoned professional and Lead Compliance Officer specializing in Information Security Consulting for ISO 27001, HIPAA, UIDAI, PCI-DSS, etc. Whether you are a compliance enthusiast, an industry insider, or a curious learner, these thought-provoking articles unravel the challenges and opportunities inherent in compliance, fostering a deeper understanding of its significance in today's dynamic business landscape. Join this informative journey to explore compliance through the lens of a true leader.
